
A guide to securing your home and home network with inexpensive hardware, open source software and about 8 hours of dedicated time. This is a living document, updated on a regular basis to reflect additional best practice methodologies, tips and tricks as they become available.

In this guide, we will walk you through the process of building and configuring security systems to protect your home and home/office network through the use of motion-sensing digital security cameras, advanced firewalls, intrusion detection systems, and realtime notification mechanisms.

In a mere eight hours, we will endeavor to build and configure a moderately sophisticated wired and wireless home or office LAN with a DMZ for public-facing services, strong ingress and egress filtering for all connected subnets and a realtime risk management console with live monitoring and alerts by email and/or telephone!

In the event you have older hardware lying around (e.g. old PCs, Pentium or better), you should be able to secure your network without purchasing any (or much) additional hardware. Otherwise, components can generally be purchased for less than $100/ea at major retail and electronics stores (e.g. Best Buy, Circuit City, CompUSA, etc.) and all of the software referenced in this guide is freely available, most under an OSI-approved open source license.

Planning

Numerous tools (hardware and software) referenced in this text are interchangeable with other, similar tools, and where possible I will offer suggestions for such alternatives. Below is a materials list so you can start to determine what you might need to purchase prior to getting started. For most, the total cost for this project will fall well under USD$400.00.

For your firewall:

[1+] Low-end PC (PII+) or generic mini-router w/ 3+ interfaces: $0 - $100 (I use an old repurposed Nokia IP110; you could also use a Soekris or OpenBrick.)

The first step in securing our castle will be that of establishing perimeter security by building and configuring our firewall. There are several solutions to firewalling our home networks, and although inexpensive wired/wireless routers, like those from Linksys and D-link, provide adequate perimeter security, they lack granularity and do very little to secure egress traffic. For this reason, even if you’ve purchased a WRT54G as suggested above, you will be replacing the on-board firmware with one that will allow more control over the firewalling process and provide the ability to interact with the rest of our network security and network monitoring systems (bearing in mind, of course, that this will invalidate your warranty).

If you are using a low-end PC, go ahead and install m0n0wall (or whatever firewall OS you choose). This process should take no more than about 30 minutes.

Personally, I’m using m0n0wall due to its small size, native ability to run from CompactFlash, its solid BSD base and slick configuration GUI. Other firewall OSes may offer different features; if necessary, do a bit of research before settling on one. (For instance, IPCop also provides Snort by default, offering IDS at the firewall for all connected interfaces. This may not be important to you if you plan to implement IDS on your monitoring server, however, which I will describe below.)

Also, bear in mind that the number of interfaces in your firewall will determine your ability to effectively isolate wireless traffic from internal and DMZ subnets, which is highly desirable. Four interfaces should work well for this purpose. With only three, you will have to stick your WAP(s) onto either your DMZ or Internal networks, neither of which would I recommend, if it can be avoided. Given four interfaces, your network will look something like this:

When configuring your firewall rules, bear in mind the following considerations:

Initially you will want to block or reject all inbound traffic, to both the LAN and DMZ. Once you have OSSIM and ZoneMinder in place, you can decide if you want to allow access from the outside (or preferably only via VPN). Remember to try to limit inbound access to minimal services, if any at all. In an ideal world, you would allow nothing to the outside world (except, perhaps, basic web and/or mail — no open relays!) and only allow access to services in the DMZ via VPN, whether IPsec, SSL (OpenVPN) or even PPTP (ick).

Although you can allow “any” traffic from LAN to WAN, I highly recommend that you spend a little bit of time building a strong egress filtering ruleset. As a reference, you can refer to elmore’s Strong Egress Ruleset for PF, which provides numerous excellent examples of rules that limit outbound access while still ensuring necessary connectivity to the outside world.
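To make the two considerations above concrete, here is an added example of a four-interface ruleset written in pf.conf syntax, the same dialect as elmore’s egress ruleset referenced above. It is not from the original article and not m0n0wall’s own configuration (m0n0wall rules are entered through its GUI); the interface names, subnet addresses, camera and monitoring-server addresses and the port lists are assumptions chosen for illustration.

```pf
# Added example, not from the original article: a four-interface home firewall
# (WAN, LAN, DMZ, WLAN) with default-deny inbound and allow-list egress.
# Interface names, addresses and ports below are assumptions.

ext_if  = "sis0"    # WAN
lan_if  = "sis1"    # wired internal network
dmz_if  = "sis2"    # monitoring server and IP cameras
wlan_if = "sis3"    # wireless access points only

lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"
wlan_net = "192.168.3.0/24"
monitor  = "192.168.2.10"                    # OSSIM / ZoneMinder / Snort host
cameras  = "{ 192.168.2.20, 192.168.2.21 }"  # D-Link style IP cameras

# Everything in these ranges is "inside"; egress rules use !<internal> to mean
# "the Internet", which avoids negated lists (pf cannot negate a list correctly)
table <internal> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

egress_tcp = "{ 22, 80, 443, 993 }"   # ssh, http, https, imaps
egress_udp = "{ 53, 123 }"            # dns, ntp

set skip on lo0
scrub in all

# NAT for all three inside subnets
nat on $ext_if from <internal> to any -> ($ext_if)

# Default deny in both directions, logged, so anything unexpected reaches the IDS.
# There is deliberately no "pass in on $ext_if" rule: nothing from the WAN
# reaches the LAN or DMZ until a VPN rule is added on purpose.
block log all
antispoof quick for { $lan_if, $dmz_if, $wlan_if }

# LAN -> DMZ: the monitoring console and the cameras' web/image port
pass in on $lan_if proto tcp from $lan_net to $monitor port { 80, 443 } keep state
pass in on $lan_if proto tcp from $lan_net to $cameras port 80 keep state

# LAN -> Internet: only the named services; everything else is logged and dropped
pass in on $lan_if proto tcp from $lan_net to !<internal> port $egress_tcp keep state
pass in on $lan_if proto udp from $lan_net to !<internal> port $egress_udp keep state

# DMZ -> Internet: the monitoring server needs updates, NTP and outbound mail
# for alerts. The cameras get no pass rule at all, so a compromised camera can
# reach nothing outside its own segment. (Camera-to-monitor traffic stays
# inside the DMZ segment and never crosses the firewall.)
pass in on $dmz_if proto tcp from $monitor to !<internal> port { 25, 80, 443 } keep state
pass in on $dmz_if proto udp from $monitor to !<internal> port { 53, 123 } keep state

# WLAN -> Internet only: wireless clients never reach the LAN or DMZ
pass in on $wlan_if proto tcp from $wlan_net to !<internal> port $egress_tcp keep state
pass in on $wlan_if proto udp from $wlan_net to !<internal> port $egress_udp keep state

# Traffic the firewall itself originates: its own DNS/NTP out the WAN, and
# remote syslog to the monitoring server so firewall logs land in OSSIM
pass out on $ext_if keep state
pass out on $dmz_if proto udp from ($dmz_if) to $monitor port 514 keep state
```

Three points are worth noticing. Egress is written as a short allow-list to !<internal> rather than as “any”, so a LAN host that suddenly starts talking on an unexpected port is logged by the block rule and shows up on the monitoring server. The wireless subnet is treated as untrusted and can only go out to the Internet. And the cameras, which run listening services of their own, have no outbound permission whatsoever. Check the file with pfctl -nf /etc/pf.conf before loading it, and watch pflog for a day or two to find any legitimate service the allow-list is missing.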

Step 2: Build the Monitoring Server

Our monitoring server will actually serve multiple purposes, providing IDS, network and security monitoring, IP camera motion detection and capture, and realtime alerting via email, SMS and telephone. In an ideal world, and following security best practices, each of these services would be provided by a separate machine, though for our purposes, a single device should suffice as long as we take good care to secure it properly. And although we don’t really need an extraordinary amount of CPU power, the more memory our monitoring server has, the better the overall performance of the subsystems will be. Therefore, I would highly recommend that you stick at least 512MB if not a GB or more in this box to ensure that it’s able to dedicate enough memory to each task.

Which OS/distribution you choose here is really up to you. Personally, I use Gentoo for its speed, power and flexibility. Fedora, Ubuntu or Mandriva will quicken the install process, at the cost of a little less optimization and package customizability. My best recommendation is that you go with what you’re most comfortable with. If you’re not already comfortable running a Linux or BSD server, stick with Fedora, Ubuntu, or Mandriva, or roll the dice. For the faint of heart, and the easiest installation of the packages described by this guide, stick with Debian or Ubuntu. A final option is to use the ZoneMinder LiveCD, provided by Ross Melin, which will install Mandriva and pre-install ZoneMinder in one fell swoop. In any case, the installation of the operating system should probably take you between 30 minutes and an hour, depending on the speed of your hardware.

Alright, once you’ve got the base OS installed, your first step will be to harden the server itself, as this device will be more exposed than the workstations in your Internal network. At the very minimum, install and run Bastille on this box prior to going any further.

Next, we’ll need to install a few software packages, as well as any requisite dependencies. The important ones here are those mentioned in the list above, specifically Snort, OSSIM and ZoneMinder. If you used the Mandriva LiveCD mentioned above, you’ll already have ZoneMinder installed and configured; otherwise you’ll have to install some or all of the following: Snort, Apache, PHP, MySQL, ACID, MRTG, ntop, OpenNMS, nmap, Nessus, RRDtool, and ZoneMinder.

In most cases, this isn’t as difficult as it sounds, as the package manager provided with the operating system should handle all dependency resolution and automate the installation process. Further, if you’re using Fedora or Debian/Ubuntu, there are package repositories for both OSSIM and ZoneMinder that will handle everything from the above list. For Debian/Ubuntu, check here and here. Once you have the repositories configured, installing ZoneMinder should be as simple as “apt-get update ; apt-get install zm”. Installing OSSIM is only slightly more complex, and is described in detail here. Total time to complete this phase shouldn’t exceed 2 - 4 hours, depending on your chosen OS/distro.

On my Gentoo box, the process was a bit more complicated because I had to install most of these packages individually, then manually configure them to work together as required by OSSIM. Further, the ZoneMinder ebuild in Gentoo’s Portage is quite old, so I had to build that one from scratch, without the help of my package manager.

Step 3: Configuring the Hardware (WAP(s) and Cameras)

Once we’ve got our firewall and monitoring server built and configured, it’s time to drop in our WAPs and IP cameras. If you took my advice and bought yourself a WRT54G or few, I highly recommend that you now consider replacing the stock-Linksys firmware with one of the following replacement firmwares:

Personally, I use the Sveasoft firmware, as it has the most extensive featureset out-of-the-box, and I have my WAPs implemented in a meshed configuration via WDS, extending my wireless network to all of the rooms in my house without the need to run additional cable.

If you are using 4 interfaces on your primary firewall, make sure that the 4th interface and the WAP are on an isolated subnet. I would highly recommend disabling SSID broadcast, and if your client device(s) support it, I would suggest using WPA in lieu of WEP, as WEP will provide only marginal security for your wireless traffic (and consequently your network), at best. If you have the patience, I also recommend enabling MAC-address filtering for an additional layer of security, especially if you expect to have fewer than 5 or 10 wireless clients. In 2002, I wrote a white paper on Best Practices for Securing 802.11 Networks, and most of the principles still hold true; it would be worth a quick review prior to plugging your WAPs into the rest of your network.

Configuration of your cameras will depend on the vendor, but for my D-link DCS-900s all I had to do was set IPs and configure listening ports. By default, the camera provides an integrated webserver with Live ActiveX/Java viewers, though they tend to be tediously slow. A second port provides realtime static image display, in JPG format. As such, I would suggest that you put your IP cameras in your DMZ network, as this will provide proper protection for all devices running listening services and will ease the process of configuring ZoneMinder on your management server within the same subnet.

Step 4: Configuring ZoneMinder and OSSIM

Configuring ZoneMinder and OSSIM is probably the most complex task in this setup, though with the simple network configuration that I’ve outlined above, it still shouldn’t take more than a few hours.

There is an excellent article at Newsforge about configuring ZoneMinder using the wireless version of the D-link cameras. The document offers some specific tips and tricks that I found very valuable when configuring the software, one of which I’ll reference below:

The next task is to create monitors. A monitor is a camera. I’ve seen comments in the ZoneMinder forum about having more than one monitor per camera, but I think the relationship is almost always one-to-one. To create a monitor, click the Add New Monitor button on the ZM Console.

The ZM Monitor New screen shows five tabs across the top. Here are the changes to the default values that I made. Just as with the options, your mileage will vary depending on the particulars of your installation.

That last setting was necessary for me because I ran out of shared memory space with the default setting of 100. You may not need to adjust your own buffer size at all. Originally, I wrote that you might need to change to a new Shared Memory Key (ZM_SHM_KEY) in the System tab of ZM Options, but Coombes has advised me that is not necessary unless you have two complete Zoneminder installations on the same machine. He said “Ordinarily you would change your system config to allow more shared memory to be allocated (either in total or per request)”. Update: I wrote a column about how to do this on Linux.com. You can find it here.

I then repeated the Add New Monitor process to configure the second remote camera. The only difference in the two configurations was the name (TheDriveway) and the Remote Host Port (9294).

I highly recommend reading the article in its entirety, as the article covers significant detail with regards to advanced setup and configuration of ZoneMinder.

Finally, you’ll need to tweak your OSSIM configuration. If you have all of the requisite packages installed, and/or you followed along with one of the OSSIM install documents referenced above, you should be about 3/4 of the way there. The rest of your work will be defining sensors and hosts and tweaking basic parameters, then setting up alerts. It would probably be a good idea to go ahead and reboot your Monitoring Server at this point in time, however, to ensure that all necessary services are running and everything is humming along as expected prior to attempting further configuration. Also, upon boot, make sure to review the end of your syslogs to ensure that there aren’t any problems that were not obvious during the boot process, and use netstat to make sure you have the necessary listening ports open.
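As an added example that is not part of the original article, the following POSIX shell script turns the netstat check above into something repeatable: it parses netstat -tuln style output, compares every bound socket against the short list of ports the monitoring server is meant to expose, and reports anything else, as well as any localhost-only service that has ended up bound to every interface. The netstat output embedded in it is a constructed sample so the script runs offline; the allow-list itself (ssh, Apache for ZoneMinder, OSSIM and ACID, and MySQL on localhost only) is an assumption you should adjust to your own box.

```shell
#!/bin/sh
# Added example, not from the original article: compare the sockets the
# monitoring server actually listens on with the ports it is supposed to expose.

# Assumed allow-list: ssh, Apache (ZoneMinder/OSSIM/ACID over http and https),
# and MySQL, which should be reachable from localhost only.
EXPECTED_PORTS="22 80 443 3306"
LOCAL_ONLY_PORTS="3306"

# Constructed sample of `netstat -tuln` output; on the real box pipe the live
# command into unexpected_listeners instead.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Emit "proto:address:port" for each bound socket on stdin. TCP sockets count
# only in LISTEN state; UDP sockets have no state column and always count.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $1 ":" $4 }
         $1 ~ /^udp/                   { print $1 ":" $4 }'
}

# Succeeds if $1 appears in the space-separated list $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print one finding per socket that is either not on the allow-list or is a
# localhost-only service bound to every interface. No output means clean.
unexpected_listeners() {
    listeners | while IFS= read -r sock; do
        port=${sock##*:}
        addr=${sock#*:}
        addr=${addr%:*}
        if ! in_list "$port" "$EXPECTED_PORTS"; then
            echo "UNEXPECTED $sock"
        elif in_list "$port" "$LOCAL_ONLY_PORTS" && [ "$addr" != "127.0.0.1" ]; then
            echo "EXPOSED $sock (should be bound to 127.0.0.1 only)"
        fi
    done
}

# Number of findings for the embedded sample: 2 (tcp 6000 and udp 111, which
# on the sample box are an X server and the portmapper, neither of which belongs
# on a DMZ host).
finding_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Run it once right after the reboot and again after every package install; a new line of output is the cheapest intrusion detection you will ever deploy, and it is exactly the kind of change worth feeding into OSSIM as an alert.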

The following resources will likely prove useful while tweaking OSSIM, and make sure to join the mailing lists and/or participate in the forums if you have problems.

At this point in time, you should have a fully configured and relatively well-secured network (hell, your security will probably exceed that of a lot of large enterprise organizations I know, whose names I will omit to protect the guilty innocent). You should have both wired and wireless subnets with strong egress rules in place thanks to your stateful firewall, and you have a DMZ containing your monitoring systems for both your physical premises and logical infrastructure. And, if you used existing hardware, or purchased inexpensive COTS equipment, and you stayed focused on building and securing your network in one session, you probably spent less than $800 and no more than about 8 or so hours setting all this up and taking it live.

In fact, I think you deserve a big pat on the back and a nice cold beer — and since your security and monitoring systems are now all automated — a nice long nap afterwards. One final thing — if you have comments or suggestions on how I can improve or amend this article, please don’t hesitate to add your comments or suggestions below and/or email me via the kaos.theory contact link on the front page. You’ll also find my PGP key on public keyservers, and can verify the fingerprint on the kaos.theory member’s page!

13 Responses to “Armor Your Palace”

I would really like to see a full write-up / howto on building and configuring OSSIM for Gentoo. When you get some extra time, which I know you’ll have plenty of after Beth goes to New York, you should write down everything you had to do to get OSSIM fully functional on Gentoo.

Disabling SSID broadcast only cripples your wireless network without hiding anything. The SSID is still sent in the clear by anyone using the network.

Cracking WEP is more difficult than cloning a MAC address. You only have to capture one packet to get a valid MAC address.

Like MAC addresses, remember that pre-shared keys are for encryption and are not an authentication mechanism. I recommend 802.1x (EAP/TLS, PEAP, etc.) using something like FreeRadius. You might need a higher end AP that supports it, though.

Good article, Vic. Of course, you’re absolutely right in that MAC address filtering and disabled SSID broadcast are not necessarily “good” security measure, though they are adequate for most home networks.

Of course, bear in mind that many EAP variants have significant problems of their own. Most implementations of EAP lack mutual authentication (though EAP/TLS specifically is not susceptible to this). Further, in Windows XP, one can easily disable certificate checking for 802.1x with EAP/TLS, which effectively eliminates the mutual authentication that EAP/TLS otherwise provides.

In reality, none of the mechanisms for securing wifi are perfect, and many are fundamentally flawed. However, in this case the idea is to build a “sufficiently secure” wired/wireless network for home and small office use, and I honestly believe that a combination of WEP or WPA with disabled broadcast and MAC address filtering will thwart all but the most determined attackers in a residential neighborhood.

Another excellent firmware for the Linksys WRT54G is DD-WRT, check them out at http://www.dd-wrt.com/. I believe it is derived from the Sveasoft firmware.

I just finished flashing my WRT54G v2.0 to DD-WRT v22-r2, and have since enabled QoS / packet shaping for SSH (and Skype and SIP if I ever need them). It’s also nice to have the option available to increase wireless Xmit power from default 28mW up to 251mW.

Great stuff. But it would be a nice addition to also include securing with a radius server + chillispot (it is used for authenticating users of a wireless LAN + it supports web based login). Chilli can also be installed on the WRT54G/GS.
Anyway, nice article!

I definitely agree with Vic Ricker, MAC filtering was meant to be secure, but you just can’t imagine that no one “hears/sees” you

There was an article, I don’t really remember where; it was kind of a spoof, yes, it spoofs its MAC address every time it sends a frame, one address higher… I didn’t really read the whole article, but I just remember my bookmarks got deleted.

you’re right that a filesystem implementation, where the directories can be synthesized as needed, can avoid some of the combinatorial problems, but it opens the system to a different type of resource exhaustion, as an antagonist can open deep paths and exhaust kernel memory. This moves the denial of service from per-filesystem to system wide. Ultimately, I think a cap on the depth of the link set is needed by any implementation.

